Facebook Is Working on Self-Protecting Mobile Apps

SAN FRANCISCO -- Facebook Chief Security Officer Alex Stamos said that his company is building mobile apps that can protect themselves, even if an operating system on a device isn’t patched.

Speaking Thursday at the AppSec USA 2015 conference here, Mr. Stamos said that mobile application developers can’t assume that their apps are running on up-to-date systems. “The number of people who are running the latest version of Android with all of the security patches and all of the preventative anti-exploit features is actually quite small,” he said. “As a result, we end up in a situation where we are deploying product out to people where we can’t trust the operating system that wraps around it,” he said.

For example, data gathered for Android developers shows that only 5.1% of users are on the most recent Android Lollipop 5.1, available to many phones since March, while 94.9% of users are on an earlier version. The data was collected during a 7-day period ending on September 7, 2015.

“You have to assume that your operating environment is one where a significant number of your users are on platforms that can’t be patched,” he said.

One of the things Mr. Stamos suggests to app makers is to make sure app data on phones is encrypted at rest. He points to Android malware that seeks to find all of the unencrypted databases and exfiltrate them. “You can’t make it impossible but you can make it harder by doing encryption using local data protection application programming interfaces,” he said.

Mr. Stamos told CIO Journal that Facebook has done quite a bit of work in its mobile apps with a protocol called Transport Layer Security, or TLS, that ensures privacy between communicating applications and their users on the Internet. When a server communicates with a mobile app, TLS makes sure no third party can eavesdrop on or tamper with the message.

Some TLS bugs have recently been discovered. In March, Microsoft Corp. researchers found a bug called FREAK that lets an attacker trick a user’s device into downgrading its security, making it much easier to listen in or break in.

“One of the things we’ve done on the Facebook side is we’ve focused on getting rid of the TLS bugs from the base [Android] operating system so our Android app…ships with the TLS library that we built from scratch,” said Mr. Stamos. Instead of relying on a potentially buggy Android operating system or browser to provide security when the Facebook Android app communicates with the server, the app relies only on the TLS code downloaded with it.

The idea is to make the application itself more secure, regardless of what the operating system is doing. However, self-protecting apps are likely to be much bigger in size, since the needed security components are bundled into the app.

“I think we’re going to end up in a future which is not good for download sizes but is probably good for [application security] where more and more apps are going to have more and more things replaced,” he said.